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(57) A telephony server system having the capabil- 
ity of providing secure access to stored information and/ 
or facilities includes a telephony server (10) connected 
to telephones (1 4) (or other telephony equipment) either 
via the PSTN or via a PABX. The telephony sen/er (10) 
is. also connected to a database (16) holding details of 
authorised users' PI Ns. 

When a user rings In and attempts access to the 
telephony sen/er (10) by entering his PIN, if the PIN is 
valid according to the database (16), a random number 
is generated and sent to the user by a predetermined 
route such as via a paging system (24, 26). The user 
then enters the random number whereupon access to 
the information and/orfacilities is allowed. Since the ran- 
dom number can be used only once for each access 
attempt, subsequent fraudulent use of the PIN and ran- 
dom number will not allow further access. 
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Description 

This invention relates to telephony server systems 
having the capability of providing secure access to 
stored information and/or facilities. 

Telephony servers can store information, such as 
financial share prices and data, and/or messages de- 
posited by calling parties, for later retrieval. The infor- 
mation and/or messages can be provided in the form of 
voice, fax, video or data sent over a telephone line upon 
retrieval. It is known to provide secure access to such 
sen/ices, where the information may be confidential, by 
the use of a PIN (personal identification number) 
scheme. The appropriate PIN is entered by the retriev- 
ing caller, typically by means of one of a number of pos- 
sible interactive techniques such as MF (multi-frequen- 
cy), PULSE (pulse dial identification) or SIR (speaker 
independent recognition). The PIN entered by the re- 
trieving caller is checked against a database associated 
with the telephony sen/er to verify the caller's right to 
access the infornoation. Although this technique pro- 
vides a level of security, it has a number of disadvan- 
tages as a result of which the security can be compro- 
mised, these being set out in the following. 

Firstly, the Incoming line to the telephony sen/er 
could be monitored and the PIN recorded or othenwise 
identified, if entered using MF, PULSE or SIR. The 
number could then be used subsequently for unauthor- 
ised access. 

Secondly, the PIN could be overseen by another 
party when being entered by the authorised user; this 
again would provide the opportunity for subsequent un- 
authorised access. 

Thirdly, the central database could be accessed to 
obtain details of valid PIN codes and their application. 

Fourthly, data links between the telephony sen/er 
and the database holding the PIN code details could be 
monitored. 

The last two of these possibilities could to some ex- 
tent be made more secure by the use of complex data 
security methods. However, the first two possibilities 
cannot be addressed in the same way, since the com- 
mon interfaces to lelephqhy sen/ers. such as the PSTN 
(public switched telephone network), require simple in- 
teractive techniques to be used, such as f^F, the use of 
which can readily be obsen/ed by other parties. 

According to the invention there is provided a se- 
cure access telephony sen/er system comprising a te- 
lephony server for storing data and/or providing facilities 
for retrieval and/or use by an authorised user via a tel- 
ephone network, a database associated with the teleph- 
ony server and holding details of valid PINs correspond- 
ing to respective authorised users, the telephony server 
having means inhibiting access to the data and/or facil- 
ities unless a valid PIN held in the database is received 
upon attempted access, wherein the telephony server 
includes means for generating a random number upon 
receipt of a valid PIN during attempted access, and 



wherein the system includes means for sending the gen- 
erated random number via a transmission route deter- 
mined by the system and intended for the authorised 
user, access being further inhibited until the generated 

s random number has been received by the system from 
the party attempting access. 

A preferred embodiment of the invention, to be de- 
scribed in more detail below, effectively provides a com- 
bination of a telephony server and a one-off pad which 

10 provides secure access to information or facilities on 
one occasion only; after access, the security code as- 
sociated with the one-off pad is invalid and so cannot 
be re-used by a fraudulent user if recorded or othenwise 
identified. 

15 The Invention will now be described by way of ex- 
ample with reference to the accompanying single figure 
drawing which shows a secure access telephony server 
system according to an embodiment of the invention. 
Referring to the drawing, there is shown a telephony 

20 server 10, including a random number generator 12, 
connected to telephones 14 (or other telephony equip- 
ment such as fax machines, modems or video systems) 
either via the PSTN or via a PABX (private automatic 
branch exchange). The telephony server 1 0 is also con- 

25 nected to a database 16 holding details of authorised 
users and their PINs. 

The telephony sen/er 1 0 may, for example, be a Tel- 
sis Hi-Call, particular features of which are described in 
Internationa! Patent Application Publication No. WO 

30 92/22165. In that publication, the telephony sen/er is re- 
ferred to as a voice sen/ices equipment (VSE). Other 
terms include voice response system (VRS) or interac- 
tive voice response (IVR) equipment. 

A modem 18 connects the telephony sen/er 10 via 

35 the PSTN 20 and another modem 22 to a paging system 
transmitter 24. Paging transmissions are received by 
pagers 26 held by authorised users of the system. 

In use of the system, confidential information is 
placed on the telephony sen/er 10 either from callers 

40 (via the PSTN) or locally through a management inter- 
face. Users who are permitted access to such informa- 
tion are defined in the database 16. Once a message 
and/or other infornnation has been deposited, the valid 
users can be alerted, such as by paging, to indicate that 

45 new information is available; alternatively, the users 
may call in at regular inten/als to check whether anything 
has been deposited. Upon calling in, each user enters 
his PIN code for identification of the user and his partic- 
ular access rights. The entered PIN is checked on the 

50 database 16, as is current standard practice. However, 
if this check is passed, instead of providing the Informa- 
tion to the user, a further level of security is involved. 
Once the entered PIN code has been found to be valid, 
the random number generator 12 generates a random 
55 number. This number is sent by the telephony sen/er 1 0 
to the user, for example (as shown) via a paging net- 
work. This can be done using an automatic modem link 
to the paging bureau; as shown, this Involves the mo- 
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dems 18. 22, the PSTN 20 and the paging system trans- 
mitter 24. The user's contact details, namely paging 
number and bureau, are held on the database 16, This 
route makes it almost impossible for this number to be 
intercepted and cross-referenced with the incoming call 
to the telephony server 10. When the random number 
is received on the user's pager 26, the user enters it by 
way of one of the telephones 1 4 and the system checlcs 
the number against that generated by the random 
number generator 1 2. If correct, the relevant Information 
is provided. After the user has cleared down {terminated 
the call), the random number is no longer held by the 
telephony server 10. Thus the system utilises one ran- 
dom number for a single access attempt only. 

Depending on the means for sending the random 
number to the user, the above operation may be accom- 
plished either in a single telephone call or in two calls. 
In the latter case, the caller could clear down the initial 
call, having entered the PIN code, and await reception 
of the random number. When the number has been re- 
ceived^the caller would ring back, re-confirm his identity 
by means of the PIN code and then enter the random 
number whereupon access would be enabled. 

In addition to accessing information, this technique 
can be used to provide secure access to other telephony 
sen/er applications such as onward call routing. For in- 
stance, to bill international company calls to a company 
account, employees can use a telephony server at a 
company's location to provide the means of dialling in- 
ternationally. The normal level of PIN security may be 
considered insufficient in these circumstances, wherein 
the present random number/one-off pad technique can 
then be utilised. 

Information provided by the telephone sender 10 
may be in the form of voice, fax, data or video formats, 
whereupon the telephones would be replaced or sup- 
plemented by appropriate equipment such as fax ma- 
chines, modems or video receivers. 

Other alerting facilities may be used instead of pag- 
ing; for example SMS (short messaging system) on mo- 
bile telephones may be utilised. Alternatively, the teleph- 
ony server may be arranged to ring back the user on a 
number stored on the database. This is a less versatile 
system but has the advantage that all users do not need 
to carry pagers. 

The database 16 for the PINs may be integral to the 
telephony server 10, as may the modem 18. 

The length of the random number can be set as re- 
quired, depending on the abilities of the transmission 
route to carry this information. Typically, a length of 8 to 
10 digits can be utilised. 

Further security can be added by having an agreed 
format of entry for the random number, such as by en- 
tering the number in reverse order {last digit first) to that 
sent. This stops random number messages received on 
lost or stolen pagers being used by fraudulent users and 
can. in fact, identify Iraudulent use if the correct digits 
are received by the system bul not in the agreed order. 



Claims 

1 . A secure access telephony sen/er system compris- 
ing a telephony server (10) for storing data and/or 
5 providing facilities for retrieval and/or use by an au- 
thorised user via a telephone network, a database 
(1 6) associated with the telephony server (10) and 
holding details of valid PINs corresponding to re- 
spective authorised users, the telephony server 
10 (10) having means inhibiting access tothe data and/ 
or facilities unless a valid PIN held in the database 
(16) is received upon attempted access, wherein 
the telephony server (10) includes means (12) for 
generating a random number upon receipt of a valid 
IS PIN during attempted access, and wherein the sys- 
tem includes means (18) for sending the generated 
random number via a transmission route (20. 22. 
24) determined by the system and intended for the 
authorised user, access being further inhibited until 
20 the generated random number has been received 
by the system from the party attempting access. 

2. A system according to claim 1 . wherein the PIN and 
the generated random number are both receivable 

25 by the system in the same telephone call during at- 
tempted access. 

3. A system according to claim 1 . wherein, in response 
' to a valid PIN entered during attempted retrieval, 

30 the initial call Is then terminated and the generated 
random number is sent, whereupon the system al- 
lows access during a subsequent call upon receipt 
of both the valid PIN and the generated random 
number. 



35 , . o 

4. A system according to claim 1 . claim 2 or claim 3, 
wherein the data is stored infomnation and/or de- 
posited messages. 

40 5. A system according to any one of the preceding 
claims, wherein the facilities provided by the teleph- 
ony server (10) include onward call routing. 

6. A system according to any one of the preceding 
45 Claims, wherein the transmission route for sending 

the generated random number involves a paging 
network (22. 24), the random number being re- 
ceived by a paging receiver (26) associated with an 
authorised user. 

so 

7. A system according lo any one of claims 1 to 5, 
wherein the transmission route for sending the gen- 
erated random number involves a short messaging 
system on a mobile telephone network. 

S5 

8. A system according to any one of claims 1 to 5, 
wherein the transmission route for sending the gen- 
erated random number involves the telephony sen/- 
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er ( 1 0) ringing back the user on a telephone number 
stored on the database (16). 

9. A system according to any one of the preceding 
claims, wherein access is allowed only if the system 
receives the random number in a predetermined or- 
der different to that transmitted to the party attempt- 
ing access. 
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